 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Hotspot - isolate private LAN from Hotspot users

Sun Jun 18, 2017 6:54 pm

Hi guys,
I've just set up a Hotspot on my RB951 at work using a virtual AP named wlan2 attached to wlan1.

I have a PPPoE client on eth1, and eth2 to eth5 in a bridge with wlan1.

My LAN and wlan1 are my private network and I noticed that connected Hotspot users CAN access devices in my private LAN. I would like to block them from accessing anything other than the Internet, preferably themselves also (client isolation). Is it enough to add a firewall rule on the forward chain to drop access from 10.5.0.0/24 (Hotspot pool) to 192.168.1.0/24 (private LAN)?

 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: Hotspot - isolate private LAN from Hotspot users

Thu Jun 29, 2017 2:30 am

Ok, I managed to test some configurations today.

What I did is this:

I checked "default forward" in the wireless settings for my wlan1, which is my private wifi. This enables wifi devices to access my LAN and vice versa.

I unchecked "default forward" in the wireless settings for wlan2, which is my Hotspot interface. This, I understand, is the "client isolation" in MikroTik words. This prevents wireless devices connected to my hotspot from seeing each other, which is what I want; they should only be able to access the internet.

I then created a rule in the firewall, in the forward chain, source network 10.5.0.0/24 destination network 192.168.1.0/24 action DROP. In my theory this prevents Hotspot devices from accessing my private LAN. I guess I should also create a rule that prevents my private LAN devices from accessing the Hotspot devices, I'll just have to use 192.168.1.0/24 as source network and 10.5.0.0/24 as destination network with action DROP.

It seems to do the job for now, I'll keep testing to see if I missed something.

If anyone has any suggestions, please reply!

Thanks

 
aliegeni
just joined
Posts: 3
Joined: Sun Sep 03, 2017 8:16 pm

Re: Hotspot - isolate private LAN from Hotspot users

Sun Sep 03, 2017 8:21 pm

Isn't it safer to make firewall filter rules based on interfaces rather than networks, to prevent someone from manually changing their IP address?
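
The difference between the address-based rules described in the thread and the interface-based rules suggested in the last reply, as an added example that is not part of any post: a simplified Python model of first-match forward-chain filtering over rules written in RouterOS syntax. The bridge name `bridge-lan` and the sample packets are constructed assumptions, and the model covers rule matching only, not the Hotspot's own address handling or NAT.

```python
import ipaddress

# Rules in RouterOS "/ip firewall filter" syntax. The subnets and wlan2 come from
# the thread; the bridge name "bridge-lan" is an assumed placeholder.
ADDRESS_RULES = [
    "add chain=forward src-address=10.5.0.0/24 dst-address=192.168.1.0/24 action=drop",
    "add chain=forward src-address=192.168.1.0/24 dst-address=10.5.0.0/24 action=drop",
]
INTERFACE_RULES = [
    "add chain=forward in-interface=wlan2 out-interface=bridge-lan action=drop",
    "add chain=forward in-interface=bridge-lan out-interface=wlan2 action=drop",
]
FIELDS = {"src-address": "src", "dst-address": "dst",
          "in-interface": "in", "out-interface": "out"}

def parse(line):
    """Turn 'add key=value ...' into a dict of matchers plus the action."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def matches(rule, pkt):
    """A rule matches only if every matcher it specifies matches the packet."""
    for key, want in rule.items():
        if key not in FIELDS:          # chain= and action= are not matchers
            continue
        value = pkt[FIELDS[key]]
        if key.endswith("address"):
            if ipaddress.ip_address(value) not in ipaddress.ip_network(want):
                return False
        elif value != want:
            return False
    return True

def verdict(rule_lines, pkt):
    """First matching rule wins; with no match the packet is accepted."""
    for rule in map(parse, rule_lines):
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

# Constructed packets, both arriving on the hotspot interface and routed to the LAN.
POOL_CLIENT = {"src": "10.5.0.23", "dst": "192.168.1.10", "in": "wlan2", "out": "bridge-lan"}
STATIC_CLIENT = {"src": "172.16.9.9", "dst": "192.168.1.10", "in": "wlan2", "out": "bridge-lan"}

if __name__ == "__main__":
    for name, pkt in (("pool address", POOL_CLIENT), ("manual address", STATIC_CLIENT)):
        print(name, "| address rules:", verdict(ADDRESS_RULES, pkt),
              "| interface rules:", verdict(INTERFACE_RULES, pkt))
```

The address-based pair only matches sources inside 10.5.0.0/24, so the second constructed packet falls through to the default accept, while the interface-based pair drops it regardless of the source address it carries.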
